From: Tom Tucker <tom@opengridcomputing.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: tom@ogc.us, Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: question about map_read_chunks()
Date: Mon, 20 Feb 2012 12:44:57 -0600 [thread overview]
Message-ID: <4F4294A9.20308@opengridcomputing.com> (raw)
In-Reply-To: <20120220182003.GL2912@mwanda>
Hi Dan,
> ----- Forwarded message from Dan Carpenter<dan.carpenter@oracle.com> -----
>
> Date: Mon, 20 Feb 2012 12:50:19 +0300
> From: Dan Carpenter<dan.carpenter@oracle.com>
> To: Tom Tucker<tom@ogc.us>
> Cc: "J. Bruce Fields"<bfields@redhat.com>, netdev@vger.kernel.org, linux-nfs@vger.kernel.org
> Subject: question about map_read_chunks()
>
> I had a couple questions about some map_read_chunks().
>
> net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
>
> 150 ch_bytes = ntohl(ch->rc_target.rs_length);
> ^^^^^^^^
> It look like this is 32 bits from the network?
Yes, it is. All these values should be clamped by the wsize/rsize,
however, I don't think we enforce that. We should add a check to
svc_rdma_xdr_decode_req().
>
> 151 head->arg.head[0] = rqstp->rq_arg.head[0];
> 152 head->arg.tail[0] = rqstp->rq_arg.tail[0];
> 153 head->arg.pages =&head->pages[head->count];
> 154 head->hdr_count = head->count; /* save count of hdr pages */
> 155 head->arg.page_base = 0;
> 156 head->arg.page_len = ch_bytes;
> 157 head->arg.len = rqstp->rq_arg.len + ch_bytes;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Can overflow.
Without the proposed check, it can.
> 158 head->arg.buflen = rqstp->rq_arg.buflen + ch_bytes;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Same. I didn't follow it through to see if an overflow matters. Does
> it?
I think it could cause bad things to happen, yes.
>
> 159 head->count++;
> 160 chl_map->ch[0].start = 0;
> 161 while (byte_count) {
> 162 rpl_map->sge[sge_no].iov_base =
> 163 page_address(rqstp->rq_arg.pages[page_no]) + page_off;
> 164 sge_bytes = min_t(int, PAGE_SIZE-page_off, ch_bytes);
> ^^^
> This is the wrong cast to use. A large ch_bytes would be counted as a
> negative value and get around the cap here.
I suppose, in theory, we could have a r/wsize > 2G, in which case, you are
correct.
> 165 rpl_map->sge[sge_no].iov_len = sge_bytes;
>
> regards,
> dan carpenter
>
I think adding a check to svc_rdma_xdr_decode_req() would avoid any
possibility of overflow. I'll code up a patch.
Thanks,
Tom
next parent reply other threads:[~2012-02-20 18:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20120220182003.GL2912@mwanda>
2012-02-20 18:44 ` Tom Tucker [this message]
2012-02-20 9:50 question about map_read_chunks() Dan Carpenter
2013-09-27 12:21 ` Dan Carpenter
2013-09-27 15:23 ` Tom Tucker
2013-09-27 20:15 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F4294A9.20308@opengridcomputing.com \
--to=tom@opengridcomputing.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=tom@ogc.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).